
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #35

May 01, 2012

With all the bad news in cyber security, it is worth a moment of
reflection when there is some good news. The first story in this issue,
about the collegiate cyber competition is good news. In addition, more
than 1,000 college students participated last weekend in CyberQuests,
an online competition to determine eligibility for invitations and
scholarships at the three US National Cyber Camps (at San Jose State,
Cal Poly Pomona, and Virginia Tech in Northern Virginia this summer).
And finally, more than 500 high school students jointly launched (in
April) the all new Cyber Foundations competition, demonstrating their
aptitude in the three foundational skills of cyber security. Lacking
these three skills, no one can excel in cyber security. Add those
programs together, and you have the beginnings of a powerful national
pipeline of world-class cyber talent.

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats. http://www.sans.org/toronto-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years. http://www.sans.org/ipv6-summit-2012/

Plus Johannesburg, Brisbane, Atlanta, Boston, New York, Malaysia, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

TOP OF THE NEWS

Mark Weatherford, Deputy Undersecretary for Cybersecurity at DHS, reports on the National Collegiate Cyber Defense Competition (NCCDC) and on the top three scoring colleges. More than 1,200 students from 100 colleges are reported to have participated in regional competitions leading to the national finals in San Antonio. The top three schools were the University of Washington (1), the United States Air Force Academy (2), and Texas A&M (3).
-http://blog.dhs.gov/2012/04/national-collegiate-cyber-defense.html

[Editor's Note (Paller): The Air Force Academy's number two position at the NCCDC, on top of its win in the 2012 National Security Agency's Cyber Defense Exercise (the most challenging collegiate cyber competition, http://www.nsa.gov/public_info/press_room/2012/cdx2012.shtml), is evidence of extraordinary accomplishment in cybersecurity skills preparation. The nation has an extreme shortage of people who can operate in cyberspace at world-class levels; it's great to see a school doing what it takes to prepare the next generation of cyber operators. The US Military Academy at West Point has long been the leader in this category, but it has a new peer in the Air Force Academy.]

Russia and US to Use Nuclear Secure Communications System for Cyber Security (April 26, 2012)

A secure communications system established to keep misinterpreted activity from escalating into nuclear war between the US and Russia is likely to be expanded to perform the same function for cyber attacks. The Nuclear Risk Reduction Center was created in 1988 to allow Washington and Moscow to communicate about missile tests and launches that could be misinterpreted as acts of aggression. Under the plan, the same secure channel would provide the same type of reassurance regarding suspicious cyber activity. It would be used when one of the countries detects what appears to be an attack emanating from computers in the other, and only when the attack is perceived to be of "such substantial concern that it could be perceived as threatening national security." Russia has also requested a dedicated cyber incident phone hotline between the Kremlin and the White House.
-http://www.washingtonpost.com/world/national-security/in-us-russia-deal-nuclear-communication-system-may-be-used-for-cybersecurity/2012/04/26/gIQAT521iT_story.html

[Editor's comment (Northcutt): Failure to have good communications is the root cause of household and office drama; I would expect that the stakes increase with the size of the nation state. I think this is a very good idea.]

Sponsored Link: New Analyst paper in the SANS Reading Room: A Review of Oracle Entitlement Server, by SANS Oracle Security expert Tanya Baccam. Paper: http://www.sans.org/info/104474

THE REST OF THE WEEK'S NEWS

UK High Court Says ISPs Must Block The Pirate Bay (April 30, 2012)

The UK High Court has ruled that internet service providers (ISPs) there must block users' access to The Pirate Bay. Late last year, the British Phonographic Industry (BPI) asked ISPs to block access to the site voluntarily. The BPI's request followed a court ruling that ordered ISPs to block access to Newzbin 2. The ISPs responded to the BPI's request by saying they would not block sites without a court order. Critics observe that for the determined, there are always ways to circumvent blocked sites. Supporters note that the court order serves to underscore the illegality of piracy. Critics have also called the order a slippery slope that could easily lead to further censorship of the Internet.
-http://www.bbc.co.uk/news/technology-17894176
-http://www.wired.com/threatlevel/2012/04/uk-pirate-bay-blocked/

[Editor's Note (Murray): ISPs should not be in the position of judge, jury, and executioner just because someone in power complains. A finding by a court may not be perfect, or even correct, but it is the difference between the Rule of Law and that of men.]

The US Federal Communications Commission (FCC) has released statistics on wireless carriers' efforts to alert their customers when they are approaching caps on data, text messages, and other services. Last October, US wireless carriers agreed to establish the text message alert systems so that users would be able to rein in their activity or switch to a higher service tier rather than incur charges for exceeding their limits. According to a 2011 FCC survey, more than 15 percent of mobile phone customers had been hit with overage charges of US $50 or more. The providers agreed to establish the text message services within a year. Six months out, T-Mobile has established overage alerts for voice, data, and international roaming. Verizon has implemented alerts for data and international roaming. AT&T has established an alert for data overages, and Sprint has established an alert to let customers know when they are approaching their limit on international roaming.
-http://www.cnn.com/2012/04/30/tech/mobile/wireless-data-alerts-gahran/index.html
-http://www.fcc.gov/encyclopedia/bill-shock-wireless-usage-alerts-consumers

RuggedCom Will Issue Firmware Updates for Backdoor (April 30, 2012)

Canadian company RuggedCom says it will remove an embedded backdoor login account from its industrial control systems. The vulnerability has been known for more than a year; last week, the problem was disclosed publicly. The flaw was discovered by Justin W. Clarke after he purchased two used RuggedCom devices on eBay. Clarke notified RuggedCom about the problem in April 2011. When RuggedCom did not address the issue, Clarke contacted the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the CERT Coordination Center at Carnegie Mellon University. RuggedCom now plans to release new versions of its firmware to remove the account from its products, which are used on power grids and in systems that control railways and traffic. The update, due in the next several weeks, will disable telnet and remove shell services by default. The issue illustrates a problem in the development cycle at RuggedCom: a developer backdoor was shipped in the final release of the products. Security researcher Reid Wightman wrote that "nobody and no process at RuggedCom stopped it, and RuggedCom has no process to address security concerns in already-released products."
-http://www.wired.com/threatlevel/2012/04/ruggedcom-to-fix-vuln/

VMware Issues Security Advisory for ESX (April 30, 2012)

VMware has issued a security advisory warning users about several security issues in versions 4.0 and 4.1 of ESX, its enterprise-level virtualization product. The vulnerabilities could be exploited by a local user in a guest virtual machine to obtain elevated privileges, or by a remote attacker to cause denial-of-service (DoS) conditions.
-http://www.h-online.com/security/news/item/VMware-patches-vulnerabilities-in-ESX-4-1-1564129.html
-http://www.vmware.com/security/advisories/VMSA-2012-0008.html

[Editor's Note (Murray): Vulnerabilities in the infrastructure are one of the reasons we've learned over the years not to trust the infrastructure to secure the infrastructure. As data centers are increasingly virtualized, there is still a need for layers of security separate from the virtualization infrastructure.]

According to Russian security company Dr. Web, Snow Leopard is the version of Mac OS X most likely to be infected by the Flashback malware. Dr. Web has been analyzing data from infected machines gathered through sinkhole techniques. Other findings are that most machines were infected through drive-by downloads, and that when users refused to enter a password, the attack was still successful. Snow Leopard accounts for 63 percent of infected machines, while Leopard accounts for 25 percent. Just 10 percent of the infected machines are running Lion. While some could point to Apple lagging behind in security, the fact that older versions of OS X are much more likely to be infected than newer ones supports Apple's decision to stop bundling Java with its most recent operating system, a positive security decision.
-http://news.cnet.com/8301-1009_3-57424299-83/snow-leopard-hit-hardest-by-flashback-malware/

Experts Tell Lawmakers That Iran Poses Cyber Threat (April 26, 2012)

Policy and technology experts told US legislators that Iran poses a more dangerous cyber threat than do Russia or China. At an April 26 joint hearing of the House Homeland Security Committee's Cybersecurity, Infrastructure Protection, and Security Technologies subcommittee and its Counterterrorism and Intelligence subcommittee, legislators heard testimony from experts who said that while China and Russia are usually considered the US's greatest cyber adversaries, "what [Iran] lacks in capability, it makes up for in intent." At another congressional subcommittee hearing on April 24, James Lewis, senior fellow at the Center for Strategic and International Studies, said that China and Russia "aren't going to start a war just for fun," but that the same could not be said of Iran and North Korea. Witnesses at the hearings said that the US needs to take concrete steps in its cyber security stance and create policy that leaves no room for misinterpretation.
-http://gcn.com/articles/2012/04/26/iran-dangerous-cyber-threat-house-hearing.aspx

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course and the Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/